KR100543630B1 - Method for broadcast encryption and key revocation of stateless receivers - Google Patents

Abstract

A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.

Description

Method for broadcast encryption and key revocation of stateless receivers

The present invention relates to the broadcast of data encryption using an encryption key.

US 6,118,873 discloses a system for encrypting broadcast music, video and other content. In this patent, only authorized player-recorders may play / play or copy content in accordance with rules established by the content vendor. In this way, it is possible to prevent illegal copying of content that is currently costing content providers billions of dollars each year.

According to the encryption method disclosed in the aforementioned patent publication, the device key is sent from the device key matrix implemented in software to authenticated player-recorders. These keys can be sent to each other simultaneously or over time, but in either case no play-recorder is supposed to have more than one device key per column of the matrix. Although two devices share the same key in the same column, it is very unlikely that any two devices will share exactly the same set of keys from all columns of the matrix if the keys are randomly assigned. These keys are used to decrypt the content.

If a device (and key) is intentionally or accidentally compromised, it is necessary to revoke the device's key. By effectively withdrawing a set of keys, a damaged device (and its duplicate) cannot play the content created after the withdrawal. In the above patent, about 320 message bytes are needed for each withdrawal. Although effective, it is desirable to reduce the length of the revocation message for better efficiency.

Although the system disclosed in the aforementioned patent is effective, due to the size constraints of the header area of the message (referred to herein as "media key block"), there is a relatively limited number of revocations (eg DVDs) during the lifetime of the system. In the case of a 3B header such as audio, only 10,000) can be made. This number can be increased by increasing the header size, but the added revocation is only applicable to newly created devices, and difficult to apply to devices made before the header size is increased. It is desirable to be able to perform multiple withdrawals for both " old " and " new " devices, i.e. can be responsible for stateless receivers. In addition, since one or more devices share a particular key with a compromised device in the aforementioned patent invention, revoking a set of device keys results in the revocation of some keys owned by the intact device. Therefore, it is desirable to reduce the incidental withdrawal to "good" devices, so that the likelihood is preferably zero.

Moreover, the present invention relates to a difficult scenario of "stateless" receivers, i.e., receivers that do not necessarily update their cryptographic state between broadcasts to accept countermeasures for compromised devices. For example, a television that subscribes to a paid channel may cut off energy in its set-top box while the updated encrypted data is broadcast across the system. Such a device is "stateless" if it becomes unable to update itself after being energized again, and thus may not have the necessary updates for future content decryption.

In addition, there is an increasing need to protect the content of media such as CDs and DVDs that are sold to the public and where it is desirable to prevent illegal copying. Recorders in such systems generally do not interact with the player, and since no player receives every disc sold, the player will not obtain all possible pieces of encrypted data update. Thus, as will be appreciated, content protection of media sold is an example of one problem related to broadcast encryption for stateless receivers.

Moreover, the presence of a number of "bad" manufacturers (i.e., manufacturers who legally and illegally obtain keys and manufacture large quantities of unauthorized devices with keys) is also a problem. It is desirable to identify a number of potential defectors.

Other methods of broadcasting ciphers include those disclosed in "Broadcast Encryption" (Fiat et al., Crypto '93, LINCS vol. 839, pp 257-270, 1994). This method eliminates any number of receivers as long as up to "t" receivers of the receivers collude with each other. However, Fiat's method requires a relatively long message length, a relatively large number of keys must be stored in the receiver, and each receiver must perform one or more decryption operations. Moreover, Fiat's method does not consider a stateless receiver scenario. There is a need to avoid guessing assumptions about how many receivers will conspire. In addition, the message size and the number of stored keys should be minimized, and the decryption operation to be performed by the receiver should be minimized for performance optimization.

Other cryptosystems, such as Fiat's system, do not provide a stateless receiver scenario and, therefore, cannot be effectively applied to content protection in a recording medium. Examples of such systems include "Key management for multicast: Issues and Architectures" by Wallner et al. (IETF draft wallner-key, 1997), "Secure Group Communication using key graphs" by Wong et al. (SIGCOM 1998), Canetti et al. "Multicast Security: A Taxonomy and Some Efficient Constructions, Proc. Of INFOCOM, '99. Vol. 2. pp 708-716 (1999), Canetti et al.," Efficient Communication-storage Tradeoffs for Multicast Encryption "(Eurocrypt 1999, pp 459-474), McGrew et al., "Tree Establishment in Large Dynamic Groups Using One-Way Function Trees" (Submitted to IEEE Transactions on Software Engineering, 1998). In more detail with Wallner et al. And Wong et al., Keys are assigned by assigning an independent label to each node in the binary tree. Obviously, this method would be inadequate for stateless receiver scenarios, even if the revocation associated with label changes for all nodes is done in batch, at least in log N at the receiver. Decryption and rlog N transmission, which, unfortunately, will be a relatively high number (where r is the number of devices to be withdrawn and N is the total number of receivers in the system).

Accordingly, the present invention provides a method for broadcast encryption, the method comprising assigning individual personal information I _u to each of a group of users, selecting at least one session encryption key K; Dividing the users that do not belong to the withdrawal set R into disjoint subsets S _i1 , ... S _im with associative subset keys L _i1 , ... L _im , and dividing the session key K; Encrypting with the subset key L _i1 , ... L _im to create m encrypted versions for session key K.

The method further comprises dividing the users into groups S ₁ ,..., S _w , where "w" is an integer, the group forming a bootie in the tree.

Preferably, the tree is a full binary tree.

The method preferably further comprises using personal information I _u to decrypt the session key.

Preferably, the decryption operation comprises using the information i _j so that the user belongs to the subset S _ij , and retrieving the subset key L _ij using the user's personal information.

Preferably, each subset S _i1 , ... S _im includes all the leaves of the bootie rooted at any node v _i , at least each node in the bootie having a respective subset key. Is associated with.

Preferably, the content is provided to the user with at least one message defining the header, the header comprising at most r * log (N / r) subset keys and passwords, r being the number of users of the withdrawal set R. Where N is the total number of users.

Preferably, each user should store log N keys, where N is the total number of users.

Preferably, content of at least one message is provided to users, where each user processes the message using at most log log N operations and one decryption operation, where N is the total number of users.

Preferably, the withdrawal set R defines a spanning tree, and the booties with roots attached to the nodes of the spanning tree define a subset.

Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being any of the descendants of v _i while in a bootie rooted at any node v _i . This includes all leaves that do not belong in the bootie rooted at another node v _j .

Preferably, the content of at least one message defining the header is provided to the user, the header comprising a maximum of 2r-1 subset keys and ciphers, where r is the number of users of the withdrawal set R.

Preferably, each user should store .5 (logN) ² + .5log N +1 keys, where N is the total number of users.

Preferably, the user is provided with content of at least one message, each user processing a message using at most log N operations and one decryption operation, where N is the total number of users.

Preferably, the retract set R defines a spanning tree, and the method initializes the cover tree T as a spanning tree, and removes nodes from the cover tree T until the cover tree T has at most one node. Removing and repeating adding nodes to the cover tree T.

Preferably, each node has at least one label possibly derived by at least one of its ancestors and hangs from the direct path rather than the nodes on the direct path between the user and the route. Labels of nodes are assigned to each user.

Preferably, labels are assigned to a subset using a pseudorandom sequence generator, and the decoding operation includes evaluating the pseudorandom sequence generator value.

Preferably, the content is provided to the user in at least one message defining a header comprising the cryptographic function E _L , the method comprising prefix-truncate the cryptographic function E _L.

Preferably, the tree comprises a root and a number of nodes, each node having an associated key, and each user is assigned a key from all nodes on the direct path between the user and the leaf representing the root.

Preferably, the content is provided to the user in at least one message defining a plurality of portions, each portion being encrypted with a respective session key.

The present invention preferably provides a computer program device, comprising program instructions available by the computer, using logic means for accessing the tree to identify a plurality of subset keys, and using a session key Logic means for encrypting the message, logic means for encrypting the session key at least once using respective subset keys to create an encrypted version of the session key, and a session key in a message header at a plurality of stateless receivers. Logic means for transmitting the encrypted version.

The computer program device preferably comprises logic means for dividing receivers which do not belong to the withdrawal set R into disjoint subsets S _i1 , ... S _im having a link and subset key L _i1 , ... L _im . It includes more.

The computer program device preferably further comprises means for dividing users into groups S _i , ... S _w , where "w" is an integer, said groups forming a bootie in the tree.

The computer program device preferably further comprises logic means for using the personal information I _u for session key decryption.

Preferably, the decryption means further comprises means for retrieving the key L _{i, j} from the receiver's personal information using the information i _j that the receiver belongs to the subset S _{i, j} .

Preferably, each subset S _i1 , ... S _im includes all the leaves of the bootie rooted at any node v _i , and at least each node in the bootie is associated with each subset key. It is.

Preferably, the logic means provides the content to the receivers with at least one message defining a header, the header comprising up to r * log (N / r) subset keys and ciphers, r being a retracted set R Is the number of users, N is the total number of users.

Preferably, each receiver must store log N keys, where N is the total number of receivers.

Preferably, the logic means provides the receiver with content of at least one message, each receiver processing the message using at most log log N operations and one decryption operation, where N is the total number of receivers. .

Preferably, the withdrawal set R defines a spanning tree, and the booties having roots attached to the nodes of the spanning tree define a subset.

Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being any of the descendants of v _i while in a bootie rooted at any node v _i . This includes all leaves that do not belong in the bootie rooted at another node v _j .

Preferably, the logic means provides the receivers with content in at least one message defining a header, the header comprising at most 2 r-1 subset keys and ciphers, where r is the number of receivers in the retract set R. .

Preferably, each receiver must store .5 (logN) ² + .5log N +1 keys, where N is the total number of receivers.

Preferably, the logic means provides the content of at least one message to the receiver, and each receiver processes the message using at most log N operations and one decryption operation, where N is the total number of receivers.

Preferably, the retract set R defines a spanning tree, and the computer program device comprises logic means for initializing the cover tree T as the spanning tree, and nodes from the cover tree T until the cover tree T has at most one node. Means for iteratively performing the operation of removing them and adding nodes to the cover tree T.

Preferably, the logic means assigns labels to receivers using a pseudorandom sequence generator, which labels derive a subset key.

Preferably, the decoding means comprises means for obtaining the pseudorandom sequence generator value.

Advantageously, the logic means provides to the receivers content in at least one message defining a header comprising a cryptographic function E _L , wherein the computer program device performs prefix-truncate the cryptographic function E _L. Logic means for the control.

Preferably, the tree comprises a root and a number of nodes, each node having an associated key, and logic means assigns to each receiver the keys of all nodes on the direct path between the receiver and the leaf representing the route.

Preferably, the logic means provides the receiver with content in at least one message defining a plurality of portions, each portion being encrypted with a respective session key.

The present invention preferably comprises the steps of a computer encrypting the broadcast content and transmitting the broadcast content to a plurality of good state non-holding receivers and at least one revocation receiver, wherein each good state non-maintaining receiver is capable of content. And the revocation receiver provides a computer programmed with instructions to execute a method comprising the step of not being able to decrypt the content.

Advantageously, the method comprises assigning individual personal information I _u to each of a group of receivers, selecting at least one session encryption key K, and associating all receivers that do not belong to the withdrawal set R; set keys L _i1, ... disjoint subsets having L _im S _i1, ... S and dividing by _im, the session key K to the subset key L _i1, ... L _im to encrypt Generating m encrypted versions of session key K.

Preferably, the method further comprises dividing the users into groups S ₁ , ..., S _w , where "w" is an integer and the group forms a bootie in the tree.

Preferably, the tree is a full binary tree.

The method preferably further comprises using personal information I _u to decrypt the session key.

Preferably, the decode operation performed by the computer includes the step of the receiver sub-set using the personal information of the information; and a receiver using a i _j that belongs to the S _ij retrieve the key L _ij.

Preferably, each subset S _i1 , ... S _im includes all the leaves of the bootie rooted at any node v _i , and at least each node in the bootie is associated with each subset key. .

Preferably, the content of at least one message defining the header is provided to the receiver, the header comprising at most r * log (N / r) subset keys and ciphers, where r is the number of receivers in the withdrawal set R , N is the total number of receivers.

Preferably, each receiver must store log N keys, where N is the total number of receivers.

Preferably, at least one message content is provided to the receivers, with each receiver processing the message using at most log log N operations and one decryption operation, where N is the total number of receivers.

Preferably, the withdrawal set R defines a spanning tree, and the booties having roots attached to the nodes of the spanning tree define a subset.

Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being any of the descendants of v _i while in a bootie rooted at any node v _i . This includes all leaves that do not belong in the bootie rooted at another node v _j .

Preferably, the content of at least one message defining the header is provided to the receiver, wherein the header includes at most 2r-1 subset keys and ciphers, where r is the number of receivers in the withdrawal set R.

Preferably, each receiver must store .5 (logN) ² + .5log N +1 keys, where N is the total number of receivers.

Preferably, the receiver is provided with content in at least one message, and each receiver processes the message using one decryption operation in addition to up to log N operations, where N is the total number of receivers.

Preferably, the retract set R defines a spanning tree, and the method performed by the computer comprises initializing a cover tree T as a spanning tree, from the cover tree T until the cover tree T has at most one node. Removing the nodes and adding the nodes to the cover tree T.

Preferably, the computer assigns labels to receivers of the tree using a pseudorandom sequence generator.

Advantageously, the step of decrypting performed by the computer comprises obtaining the pseudorandom sequence generator value.

Preferably, content is provided to the receiver in at least one message defining a header comprising a cryptographic function E _L , and the method performed by the computer comprises prefix-truncate the cryptographic function E _L. It includes.

Preferably, content in at least one message defining a plurality of portions is provided to the receiver, each portion being encrypted with a respective session key.

Preferably, each node has a plurality of labels and each ancestor of the node derives each label, and each user is assigned labels from all the nodes hanging off the direct path between the user and the root. do.

The present invention preferably includes a method of broadcasting a password. The method includes allocating individual personal information I _u to each of a group of users, selecting at least one session encryption key K, and assigning the users to groups S ₁ ,..., S _w . Dividing-"w" is an integer, said group forming a bootie in the tree, and a disjoint having an associated subset key L _i1 , ... L _im for all receivers not belonging to the withdrawal set R; Dividing into subset S _i1 , ..., S _im , and encrypting the session key K into the subset key L _i1 , ..., L _im to create m encrypted versions of session key K Wherein the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being a descendant of v _i , within a bootie rooted at any node v _i . Any other node in the _booty rooted by _{j j} Includes all leaves that do not belong.

The present invention includes potential stateless receivers of a multicast system, wherein the receiver is not in the direct path between the receiver and the root of a tree having a leaf representing the receiver and is out of the integrated path and removes the receiver. At least one data storage for storing a plurality of node labels derived by any node v _i that is an ancestor of the representing leaf, wherein the labels are sent to a receiver to decrypt subset keys derived from the labels. Form the personal information I _u of the receiver available by.

Preferably, the receiver calculates the subset keys of all sets except the direct path set rooted at node v _i by calculating the pseudorandom function value, but cannot calculate any other subset keys.

Preferably, the receiver decrypts the session key using at least one subset key, and the session key is used to decrypt the content.

Preferably, the present invention comprises a content receiver, the receiver comprising: means for storing respective personal information I _u , means for receiving at least one session encryption key K encrypted with a plurality of subset keys; Means for obtaining at least one subset key using said personal information to be able to decrypt a session key K for said content play.

Preferably, the receiver is divided into one of a group of groups S ₁ , ..., S _w ("w" is an integer), which group forms a bootie in the tree defining nodes and leaves.

Preferably, the subset Si ₁ , ..., _Sim derived from the group of groups S ₁ , ..., S _w defines a cover.

Preferably, the receiver receives content consisting of at least one message defining a header, the header comprising at most r * log (N / r) subset keys and ciphers, r being the number of receivers in the withdrawal set R , N is the total number of receivers.

Preferably, the receiver should store log N keys, where N is the total number of receivers.

Preferably, the receiver receives the content of at least one message, and the receiver processes the message using at most log log N operations and one decryption operation, where N is the total number of receivers.

Preferably, the withdrawal set R defines a spanning tree, and the booties having roots attached to the nodes of the spanning tree define a subset.

Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being any of the descendants of v _i while in a bootie rooted at any node v _i . This includes all leaves that do not belong in the bootie rooted at another node v _j .

Preferably, the receiver receives the content of at least one message defining the header, the header comprising at most 2r-1 subset keys and ciphers, where r is the number of receivers in the withdrawal set R.

Preferably, each receiver must store .5 (logN) ² + .5log N +1 keys, where N is the total number of receivers.

Preferably, the receiver is provided with content in at least one message, and the receiver processes the message using at most log N operations and one decryption operation, where N is the total number of receivers.

Preferably, the receiver decrypts the subset key by obtaining the pseudorandom sequence generator value.

Preferably, the present invention comprises a content receiver, the receiver comprising a data storage device for storing respective personal information I _u and a processing device for receiving at least one session encryption key K encrypted with a plurality of subset keys. And a processing device for obtaining a session key for encrypting content and at least one subset key using the personal information to decrypt the session key K for playing the content.

Preferably, the receiver is divided into one of a group of groups S ₁ , ..., S _w (where "w" is an integer) and the group forms a bootie in the tree.

Preferably, the subset Si ₁ , ..., _Sim derived from the group of groups S ₁ , ..., S _w defines a cover.

Preferably, the receiver receives content consisting of at least one message defining a header, the header comprising at most r * log (N / r) subset keys and ciphers, r being the number of receivers in the withdrawal set R , N is the total number of receivers.

Preferably, the receiver should store log N keys, where N is the total number of receivers.

Preferably, the receiver receives the content of at least one message, and the receiver processes the message using at most log log N operations and one decryption operation, where N is the total number of receivers.

Preferably, the withdrawal set R defines a spanning tree, and the booties having roots attached to the nodes of the spanning tree define a subset.

Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label, each subset being any of the descendants of v _i while in a bootie rooted at any node v _i . This includes all leaves that do not belong in the bootie rooted at another node v _j .

Preferably, the receiver receives the content of at least one message defining the header, the header comprising at most 2r-1 subset keys and ciphers, where r is the number of receivers in the withdrawal set R.

Preferably, each receiver must store .5 (logN) ² + .5log N +1 keys, where N is the total number of receivers.

Preferably, the receiver is provided with content of at least one message, and the receiver processes the message using one decryption operation in addition to up to log N operations, where N is the total number of receivers.

Preferably, the receiver decrypts the subset key by obtaining the pseudorandom sequence generator value.

Preferably, the invention of the general form _{<[i i, i 2 ,,} .., i m, E Li1 (K), E Li2 (K), ..., E Lim (K)], F K (M ) Is a medium for storing content messages, where K is the session key, F _K is the encryption primitive, E _K is the crypto primitive, and L _i is the receiver subset in the crypto broadcast system. Are the subset keys associated with them, M is the message part, and i _i , i ₂ ,, .., i _m are the subset of tree nodes that define the cover.

Preferably, cryptographic primitive F _K is implemented by XORing the stream cipher generated by message portion M and session key K.

Preferably, E _L is a prefix-cut specification of the block cipher, l represents a random string whose length is equal to the block length of E _L , K is a shortcut for F _K , and the message is <[i _i , i _{2 ,, .., i m, U} , in the form of _{[Prefix -K- E Li1 (U)} ] / K, ..., Prefix -K- E Lim (U) / K], F K (M)> to be. Preferably, 1 / i _j is encrypted and the message is <[i _i , i ₂ , .., i _m , U, [Prefix _-L- E _Li1 (U / i ₁ )] / K, ..., Prefix _-L- E _Lim (U / i _m ) / K], F _K (M)>.

Preferably, the subset keys are derived from a tree comprising a root and a number of nodes, each node having at least one associative label, each subset being within a bootie rooted at any node v _i . Any leaf that is a descendant of v _i includes all leaves that do not belong in the bootie rooted by v _j .

Preferably, the subset keys are derived from a tree comprising a root and a number of nodes, each node having at least one associated label, each subset being in a bootee rooted at any node v _i . Each node in the bootie is associated with a respective subset key.

Preferably, the splitting operation is performed by the system computer in a receiver system separate from the system computer.

Preferably, the splitting operation is performed by the receiver computer.

Preferably, the receiver derives a subset of the cover.

The invention includes a computer system for performing the invention logic disclosed herein. The invention can also be implemented in a computer program product that can be accessed by a processor to store the invention logic and to execute the logic. Also preferably, the present invention includes a computer-implemented method that follows the logic described below.

The present invention preferably includes a method of grouping users into (nestable) user subsets, each subset comprising a unique, preferably long-life, subset key. Assign each personal information I _u . The method also includes selecting at least one, preferably, short-life, session encryption key K, and a disk having association subset keys L _i1 , ... L _im for users not belonging to the withdrawal set R; And dividing the joint subset S _i1 , ..., S _im . Preferably, to make m encrypted versions of session key K, session key K is encrypted with subset key L _i1 , ... L _im . In one aspect, users can form leaves of a tree, such as a full binary tree, and the subsets _Si , ..., S _im can be derived by the tree.

In a preferred embodiment, the user is initially divided into groups S ₁ , ..., S _w (where "w" is an integer). Preferably, the predetermined transmission selects m groups, such as "cover" for non-retracted users, the cover being defined by the withdrawn user set. The "cover" group preferably forms a bootie (full bootie or the difference between two subtrees) in the tree. The personal information I _u of the user is found as information i _j in the transmission message indicating that the user belongs to a subset S _ij of one of the groups S ₁ , ..., S _w . The subset key L _ij can be obtained or derived using the user's personal information.

In the first embodiment, referred to herein as " complete booties, " each group corresponds to all possible booties in the complete tree. Each user is assigned the keys of all nodes in the direct path between the leaf and tree root representing the user. That is, each subset S _i includes all the leaves in the bootie rooted at any node v _i , and at least each node in the subset is associated with each subset key. In such an embodiment, the content of the message defining the header is provided to the users, the header including a maximum of r * log (N / r) subset keys and passwords, where r is the number of users in the revocation set R and N Is the total number of users. Moreover, each user must store log N keys, and each user processes the message using up to log log N operations and one decryption operation.

In the second embodiment, referred to as the "set difference" method, each group of users can be described as a "tree from the first Booty A except the second Booty B completely contained in A". Corresponds to S ₁ , ..., S _w . Each node in this tree has a set of labels, one unique to the node and the other derived by the ancestor nodes. Each user is assigned labels of all nodes (up to logN labels from each such node) hanging from nodes in the direct path between the receiver and the route but not within the direct path itself. In other words, each subset includes any of the node v _i while the sub-tree to the root of v _i progeny of any other node v _j of all the sub-leaf to the root in the tree that do not belong. One of the subset difference node labels for a particular user is transmitted and provided as that user's personal information. The user can use the labels to generate the subset keys needed for decryption.

In this embodiment, the message header includes a maximum of 2r-1 (average 1.25r) subset keys and passwords, and each user must store .5 (logN) ² + .5log N +1 keys, each user Processes the message using up to log N operations (preferably an application of the pseudorandom generator) and one decryption operation.

As described in detail below with respect to the subset difference method, the withdrawal set R defines a spanning tree. The cover tree T is initialized as a spanning tree, and the method repeats the operation of removing nodes from the cover tree and adding a bootie to the tree until the cover tree T has at most one node. The cover tree T is used to identify subset keys to be used for a particular transmission, and users calculate a pseudorandom sequence generator to derive subset keys from labels. Preferably, for processing efficiency, the revocations are processed in left to right order so that only two withdrawals are kept in memory at a time.

In any particular embodiment, the message header includes an encryption function E _L , and the method includes prefix-cutting the encryption function E _L. Preferably, the message parts are encrypted with each session key.

In another aspect, a computer program device includes a computer program storage device that includes program instructions that can be used by a computer. The program includes logic means for accessing the tree to obtain a plurality of subset keys, and logic means for encrypting the message using the session key. In addition, logic means are provided for encrypting the session key at least once with each subset key to produce encrypted versions of the session key. The logic means then sends an encrypted version of the session key to the plurality of stateless receivers in the header of the message.

In another aspect, a computer may cause a computer to encrypt broadcast content and transmit the broadcast content to a number of good state non-holding receivers and at least one revocation receiver, where each good receiver may decrypt the content. The revocation receiver is programmed with instructions to make the content untranslatable.

In another aspect, a potentially stateless receiver u in a broadcast encryption system is a data storage device that stores respective personal information I _u and a processing device that receives a session encryption key K that is encrypted with a plurality of subset keys. It includes. The session key encrypts the content and the processing device obtains at least one subset key using the personal information to be able to decrypt the session key K for content play. In a preferred embodiment, the receiver is divided into one of a group of groups S ₁ , ..., S _w (where "w" is an integer) and the group forms a bootie in the tree. Once groups S _1, ..., and the unit derived from the set _{S w S i1, ..., S} im defines a cover that is calculated by the receiver or a computer system. Preferably, the tree comprises a root and a plurality of nodes, each node having at least one associated label. Each subset may include any of the nodes v _i while the sub-tree to the root of v _i progeny of any other node v _j of all the sub-leaf to the root in the tree that do not belong.

In a further aspect, the medium is _{<[i i, i 2 ,,} .., i m, E Li1 (K), E Li2 (K), ..., E Lim (K)], F K (M) Stores a content message of &lt; _{RTI ID} = 0.0 &gt;, where K is a session key, F _K is a cryptographic primitive, E _K is a cryptographic primitive, L _i is a subset key associated with receiver subsets in the cryptographic broadcast system, and M Is the message part, and i _i , i ₂ ,, .., i _m are a subset of tree nodes that define the cover.

Preferred embodiments of the present invention will be described by way of example with reference to the accompanying drawings, in which: FIG.

1 is a block diagram of a system according to the present invention.

2 is a flow diagram of general cryptographic logic.

3 is a flow diagram of general decryption logic.

4 is a flow chart of the key assignment portion of the complete Booty method.

5 is a flow diagram for the cryptographic portion of the full booty method.

6 is a flow chart for the decryption portion of the complete Booty method.

7 is a conceptual diagram of a subset of complete Booties.

8 is a conceptual diagram of subsets in a subset difference method.

9 is a conceptual diagram of another form of a subset in the subset difference method. 10 is a flow diagram of logic for defining a cover in a subset difference method.

11 is a conceptual diagram of a tree subset in the subset difference method for explaining key assignment.

12 is a flowchart for the decryption portion of the subset difference method.

13 is a flow diagram of logic for assigning keys in a subset difference method.

14 is a conceptual diagram of a tree subset in the subset difference method.

First, referring to FIG. 1, a system 10 for generating a set of keys in a broadcast content guard system is shown, but such a system is not limited to the system disclosed in the aforementioned patent. "Broadcast" means that a content disc is widely sold from a content provider to multiple receivers simultaneously, via cable (from a satellite source), via wire, or radio frequency (from a satellite source), or From the widespread distribution of programs.

As shown, system 10 includes a keyset definition computer 12 that accesses a keyset definition module 14 that functions as described below. Keysets defined by computer 12 are potentially used by stateless player-recorder devices 160 (also referred to herein as " receivers " or " users "). 160 has a processor inside them for content decryption. Content along with any of the keys to be described below is provided to the respective devices, for example on the media 17 via the device manufacturer 16. The player-recorder device can access its key set to decrypt the content on the media or broadcast it via wireless communication. As used herein, “media” may include, but is not limited to, DVDs, CDs, hard disks, and flash memory devices. In an alternative embodiment, each receiver 16 executes a module 14 that performs the step of calculating a "cover" to be described below by performing the logic given below with retracted receiver sets and described below. Let's do it.

It will be appreciated that a processor associated with module 14 accesses the module to perform the logic shown, which logic is executed by the processor as a series of computer executable instructions. In this specification, there are two ways in which the system 10 can selectively withdraw the broadcast content decryption capability of the compromised receiver 16 without any capability of decrypting the broadcast content by any receiver 16 intact; Discuss the complete subtree method and the subset difference method.

The instructions may be stored on a data storage device having a computer record carrier, such as a computer diskette having a computer usable medium having stored thereon computer record code elements. Or, the instructions may be stored on a DASD array, magnetic tape, conventional hard disk drive, electronic read only memory, physical storage, or other suitable data storage. In an exemplary implementation of the invention, the computer-executable instructions may consist of C ++ compatible lines of code.

The flowcharts disclosed in this specification illustrate a preferred embodiment logic structure of the present invention that may be implemented in computer program software. Those skilled in the art will understand that the flowcharts describe the structure of computer program code elements including logic circuits on integrated circuits that function according to the present invention. Apparently, the present invention is implemented in a basic implementation by machine components that produce program code elements in the form of instructing a digital processing apparatus (ie, a computer) to perform a series of functional operations corresponding to the illustrated procedure.                 

The overall logic according to the preferred embodiment of the present invention implemented by the Booty Difference Method and the Complete Booty Method can be seen with reference to FIG. For the purposes of the present invention, there are N receivers in the system 10 and withdraw the decryption capabilities of these receivers even though the r retracting receivers of the retracting receiver subset R operate in conjunction (by sharing encryption information). It is assumed that it is desirable for some receivers to be able to continue to decrypt. In block 19, the system determines that the long-lived subset keys L ₁ ,... Are in corresponding subsets of subsets S ₁ ,... W _w , which receivers are grouped according to the description below. Is initialized by allocating .L _w , so that each subset S _j has an associated long-life subset key L _j . In the first ("complete subtree") method, subsets covering receivers that do not belong to the withdrawal set are booties created according to the description below. In the second ("subset difference") method, the subsets covering receivers not in the withdrawal set are the difference between the first subset and the small Booty completely contained within the first subset as described below. Is defined by

At block 20, the system is also initiated by supplying each receiver u with personal information I _u useful for decrypting the content. A detailed description of the personal information I _u will be described below. If I _u is secret information provided to receiver u, then each receiver u of S _j can infer L _j from its I _u . As described in more detail below, for a given withdrawal set R, the non-retracted receivers are divided into m disjoint subsets S _i1 , ... S _im and a short-lived session key K with each subset. Encrypted m times as the long-life subset L _i1 , ... L _im associated with S _i1 , ... S _im . The subset keys are explicit subset keys in the full subset method and are derived by the subset label in the subset difference method.

Specifically, at block 22, at least one session key K is selected to encrypt the content broadcast in the message M, either via a wireless or wired communication path, or via a storage medium such as CD and DVD. The session key K is a randomly selected random bit string for each message. Preferably, multiple session keys may be used for each of the messages M to encrypt portions.

In both methods described below, the non-retracting receivers are divided into disjoint subsets _Si , ... S _im at block 24 using the tree. Subsets are sometimes referred to in this specification as "boottrees," in which the first method explicitly considers booties, and in the second method, a "boot tree" is a second part that is completely contained in the first booties in the first bootie. As "except tree". Each subset S _i1 , ... S _im is associated with each subset key L _i1 , ... L _im . Any data tree-like structure will be considered in this specification, but for the sake of explanation the tree is assumed to be a full binary tree.

Proceeding to block 26, generally the session key K is encrypted m times, once with each subset key L _i1 , ... L _im , respectively. The final broadcast ciphertext can be expressed as follows, including the portion between the curly braces ([]) representing the header of the message M and i ₁ , i ₂ ... i _m representing the disjoint subset index.

<[i ₁ , i ₂ ... i _m , E _{Li 1} (K), ..., E _Lim (K)], F _K (M)>

In one embodiment, cryptographic primitive F _K is implemented by XORing the stream cipher generated by message M and session key K. Cryptographic primitive E _L is a method for conveying session key K to receivers 16 using long-life subset keys. It should be understood that all encryption algorithms for F _K and E _L are within the scope of the preferred embodiment of the present invention. One preferred embodiment of E _L may be a Prefix-Truncation specification of a block cipher. Assume that l represents a random string with a length equal to the block length of E _L , and K is a shortcut for cipher F _K having a length of, for example, 56 bits. [Prefix _{-K- E L (l) / K} ] provides a strong encryption. Thus, the prefix-cut header is as follows.

_{<[i i, i 2 ,,} .., i m, U, [Prefix -K- E Li1 (U)] / K, ..., Prefix -K- E Lim (U) / K], F K (M)>.

This has the advantage of reducing the header length to mK-bit instead of about mL-. In the case where the key length of E _L is minimal, the following equation can be used to eliminate the m advantages of the opponent in a bullish attack, because of encrypting the same string l with m different keys. The string l / i _j is encrypted. In other words,

<[i _i , i ₂ ,, .., i _m , U, [Prefix _-L- E _Li1 (U / i ₁ )] / K, ..., Prefix _-L- E _Lim (U / i _m ) / K], F _K (M)>.

Several preferred methods of implementing cryptographic primitives E and F have been described. Reference is now made to FIG. 3 where the decryption logic performed by the receiver 16 is shown. Beginning at block 28, each non-retracting receiver u finds the subset identifier i _j in the ciphertext, which belongs to the subset S _ij . As described below, if the receiver falls within the retracted set R, the result of block 28 will be null. Next, in block 30, the receiver extracts the subset key L _ij corresponding to the subset S _ij using its personal information I _u . Using the subset key, after the session key K is determined at block 32, the message is decrypted using the session key K at block 34.

Two methods for performing the overall logic described above are described below. In each method, a method is used that assigns subsets, assigns keys to subsets, assigns subsets, and covers non-retracting receivers using a disjoint subset from the whole. In each, the set of receivers in the system form a leaf of the tree, such as, but not limited to, a binary complete tree.

The first method to be described is the full Booty method shown in FIGS. 4-7. Beginning with block 36 of FIG. 4, an independent random random subset key L _i is assigned to each node v _i in the tree. This subset key L _i corresponds to the subset containing all the leaves rooted at node v _i . Then, at block 38, each receiver u is provided with all subset keys in the direct path from the receiver to the route. As briefly described with reference to FIG. 7, not only the subset key L _i associated with the node v _i in the receiver u of the subset Si, but also the keys associated with the node P existing between the receivers included in Si and the root of the tree. Is also provided.

When sending a message and wishing to withdraw the message decryption capability of some receivers, the logic of FIG. 5 is invoked to divide the non-retracted receivers into disjoint subsets. Beginning at block 40, a spanning tree is found that is defined by the leaves of the revocation receiver set R. The spanning tree is the minimum bootley of the full binary tree that connects the "retracted" leaves, which can be a Steiner tree. Proceeding to block 42, booties having roots adjacent to primary nodes in the tree (ie, nodes directly adjacent to the minimum tree) are identified. These booties define a "cover" and form a subset S _i1 , ... S _im . The cover includes all non-retracting receivers. Thus, at block 44, session key K is encrypted using the subset keys defined by the cover.

To decrypt the message, each receiver invokes the logic of FIG. It is disclosed in block 46, whether or not by determining whether any ancestor node of the receiver in the set i _1, i ₂ ... i _m in the message header ancestor node of the receiver is associated with a subset key of the cover Judging. In order to determine this, the full Booty method uses the receiver's personal information I _u , which consists of its location in the tree and a subset key associated with the ancestor node. If an ancestor node is found in the message header (indicating that the receiver is a non-retracting receiver), the session key K is decrypted at block 48 using the subset key, and then at block 50 the message is decoded. To be deciphered.

In the fully bootable method, the header contains up to r * log (N / r) subset keys and ciphers. This is also the average number of keys and ciphers. Moreover, each receiver must store log N keys, and each receiver processes the message using a maximum log log N operation and one decryption operation.

Referring now to FIGS. 8-13, a subset difference method for withdrawing receivers is shown. In the subset difference method, each receiver must store a relatively larger number of keys (.5 (logN) ² + .5logN +1 keys) than the full Booty method. However, the message header only contains a maximum of 2r-1 subset keys and a cipher (average 1.25r), which is substantially shorter than the full Booty method. In addition, in the subset difference method, messages are processed using up to log N pseudorandom number generator applications and one decryption operation.

8 and 9, the subset difference method regards the subsets as the difference between the large subsets A and the small subset B completely included in A. Thus, as shown, a large Booty is rooted at node v _i and a small Booty is rooted at v _j , a descendant of v _i . The final subset S _{i, j} consists of all the "yes" leaves below v _i except for the leaves labeled "no" (and painted in a darker color than the leaves labeled "yes"). 9 illustrates this, and the subset S _{i, j} is represented by the regions inside the larger triangle outside the smaller triangle.

When sending a message according to the subset difference method and trying to withdraw the message decryption capability of some receivers, the above-described structure as shown in FIG. 10 is used. Beginning at block 52, a spanning tree is found that is defined by the leaves of the withdrawal receiver set R. The spanning tree is the minimum subset of full binary trees that connect the "retracted" leaves, which can be a strainer tree. Proceeding to block 54, the cover tree T is initialized as a spanning tree. Then, an iterative loop begins where nodes are removed from the cover tree and booties are added to the cover until cover tree T has at most one node. As a result, a cover for non-retracting receivers is defined.

More specifically, leaves v _i and v _j are found in cover tree T, moving from block 54 to block 56 such that their least common cov er v does not contain any other leaves in T. At decision block 57, it is determined whether only one leaf is present in the cover tree T. If more than one leaf exists, the logic and move to v _i a v _l progeny and v _j are the descendants of v _k to the block (58) v _l, v _k is v child (that is, the v and v _l, v s is the direct descendants of v without any intermediate nodes) between the node _k v _l, v _k look for. In contrast, when there is only one leaf in T, the logic moves from decision block 57 to block 60, setting v _i = v _j = sole remaining leaf and at the root of T. Place v and set v _l = v _k = root.

Logic from block 58 or block 60 moves to decision block 62. In the selection block 62, it is determined whether v _l is equal to v _i . Similarly, it is determined whether v _k is equal to v _j . If v _l is not equal to v _i , the logic moves to block 64 to add subset S _{l, i} to T and remove all descendants of v from T to make v a leaf. Similarly, if v _k is not equal to v _j , the logic moves to block 64 to add subset S _{k, j} to T and remove all descendants of v from T to make v a leaf. If no likelihood is determined from block 64 or decision block 62, the logic returns to block 56.

Based on the foregoing overview of the subset difference key assignment method, certain preferred embodiments are now described. If the total number of subsets to which the receiver belongs is N, these subsets can be grouped into logN clusters defined by the first subset i (another subset is subtracted). For each l <i <N corresponding to inner nodes of the entire tree, an independent and random label LABEL _i is selected, which leads to a label for all legal subsets of type S _{i, j} . From the labels, subset keys are derived. 11 illustrates a preferred labeling method to be described below. The node labeled L _i is the root of the subset T _i and its descendants are labeled according to the principles of the invention.

If G is an encrypted pseudorandom sequence generator that triples the input length, G_L (S) represents the third left side of the G output for the seed S, G_R (S) represents the third to the right, and G_M (S) Represents the middle third. Consider Booty Ti of cover tree T rooted at node v _i with label LABEL _i . If this node is labeled S, its two children are labeled G_L (S) and G_R (S), respectively. The subset key L _{i, j} assigned to the set S _{i, j} is G_M of the LABEL _{i, j} label of the node v _j derived from the subset T _i . Each label S derives labels for three parts: the left and right children, and the node's key. Thus, given the label of a node, it is possible to calculate the labels and keys for all its descendants. In a preferred embodiment, function G is a cryptographic hash such as Secure Hashing Algorithm-1, and other functions may be used.

12 shows how receivers decrypt a message according to a subset difference method. Beginning at block 66, the receiver includes the associated label (the portion of the receiver's personal information that allows the receiver to derive LABEL _{i, j} and the subset key L _{i, j} ) and the subset S _{i, j to} which it belongs. Find it. Using the label, the receiver calculates the subset key L _{i, j} by obtaining the maximum N function G values at block 68. The receiver then decrypts the session key K using the subset key in block 70 for subsequent message decryption.

Figure 13 shows how labels and thus subset keys are assigned to receivers in the subset difference method. The labeling method shown in this specification is used to minimize the number of keys that each receiver must store.

Beginning at block 72, labels are provided for each receiver that are derived by any node v _i that is an ancestor of u while not hanging in the direct path between the receiver and the root. These labels form the receiver's privacy I _u at block 74 and subsequent message session keys are encrypted with a subset of keys derived from the labels at block 76.

Referring briefly to FIG. 14, the foregoing principles are described. For all v _i ancestors with label S of receiver u, receiver u receives labels of all nodes 71 that deviate from the direct path from node v _i to receiver u. As will be described in more detail below, these labels are preferably all derived from S. In terms of indication contrast for the full-boot method, in the subset difference method described in Figures 8-14, the receiver u does not receive a label from node 73 in the direct path between receiver u and node v _i . . Using the labels, the receiver u can compute the subset keys of all sets (except the direct path set) rooted at node v _i by obtaining the function G value described above, while the other subset keys can be calculated. none.

Conventional multicast systems lack reverse secrecy, i.e., despite being withdrawn, the receiver constantly listening can record all encrypted content, often afterwards (eg, by re-registration). You can get a valid new key to decrypt old content. Preferred embodiments of the present invention can be used to cure the lack of reverse secrecy in this scenario by including all of the receiver identifiers that have not yet been assigned to the revocation receiver set. This can be done if all receivers are sequentially assigned to the leaves. In this case, the revocation of all unassigned identifiers results in a slight increase in the message header size but not in proportion to the number of such identifiers.

The preferred embodiment of the present invention also recognizes that it is desirable to provide a fast way to have the correct encoding of subset i _j in the message header and to determine if the receiver belongs to subset i _j . Assume that a node is indicated by the path to the root, 0 indicates the left branch and 1 indicates the right branch. The end of the path is marked as 1 followed by one or more zero bits. Thus, the root is 1000 ... 000b, the rightmost child of the root is 0100 ... 000b, the leftmost child is 11000 ... 000b, and the leaf is xxxx ... xxxx1b.

As will be appreciated here, since the path of the larger subset root is a subset of the path of the smaller subset root, the subset difference is indicated by adding the path length to the larger subtree root plus the root of the smaller bootie. do. Using this, the receiver can quickly determine if it is within a predetermined subset by executing the following Intel Pentium processor loop.

Out of the loop, the following registers are set up: ECX contains the leaf node of the receiver, ESI points to the message buffer (the first byte is the path length to the large Booty root, and the next four bytes are the small trees). Root), the static table outputs 32 bits when indexed by path length, with the first bit being 1 and the remaining bits being zero.

loop: MOV BYTE EBX, [ESI ++]

MOV DWORD EAX, [ESI ++]

XOR EAX, ECX

AND EAX, TABLE [EBX]

JNZ loop

If the receiver comes out of the loop, it means that he does not necessarily belong to a particular subset. It can be in a small executed subtree, and if so, it should return to the loop. However, in most cases the receivers spend very little processing time in the loop since they have no larger bootstrines.

In a more optimized subset difference method, the system server does not have to remember each and every label, which may reach millions. Instead, the label of the i th node may be a secret function of the node. The secret function, if applied to the number i, could be a triple DES cipher that uses the secret key to make the label of the I node.

Claims (32)

In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- " w " is an integer, the groups forming a _{bootie in the} tree, and each subset S _i1 ... S _im defines node v _i Includes all the leaves in the root bootie, at least each node in the bootie is associated with a respective subset key, at least one message content defining a header is provided to users, and the header Contains up to r * log (N / r) subset keys and passwords, where r is the number of users in revocation set R and N is the total number of users How to include. delete delete delete 2. The method of claim 1, wherein the revocation set R defines a spanning tree, and booties having a root attached to nodes of the spanning tree define a subset. The method of claim 1, wherein the tree is a root and a number of, and comprising nodes, each node having at least one associated label, and each sub-set are belonging Rie boot to any node v _i to the root of v _i Any other node that is a descendant v A way to include all leaves that do not belong to the bootie rooted by _{j j} . In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node having at least one comprises an associated label, each sub-set comprises an arbitrary node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of a routing tree that does not belong, and At least one message content defining the header is provided to the users and the header contains a maximum of 2r-1 subset keys and a password (r is the number of users of the revocation set R). How to include. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node having at least one comprises an associated label, each sub-set comprises an arbitrary node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of a routing tree that does not belong, and Each user must store .5 (logN) ² + .5logN + 1 key, where N is the total number of users. How to include. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node having at least one comprises an associated label, each sub-set comprises an arbitrary node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of a routing tree that does not belong, and Content is provided to users in at least one message, and each user processes the message using up to log N operations and one decryption operation, where N is the total number of users. How to include. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node having at least one comprises an associated label, each sub-set comprises an arbitrary node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of a routing tree that does not belong, and , The retraction set R defines a spanning tree and the method Initializing a cover tree T as the spanning tree; Removing the nodes from the cover tree T and adding the nodes to the cover tree until the cover tree T has at most one node. How to include. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Dividing the users into groups S ₁ , .., S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node having at least one comprises an associated label, each sub-set comprises an arbitrary node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of a routing tree that does not belong, and Each node has at least one label derivable by at least one of its ancestors, and each user is assigned a label of all nodes hanging off the direct path without belonging to the direct path between the user and the route; How to include. 12. A computer readable recording medium comprising computer program code for causing a computer to perform the steps of the method according to any one of claims 1 to 5 when loaded into and executed on a computer system. In the apparatus for broadcasting a password, Means for assigning respective personal information I _u to each user of the user group, Means for selecting at least one session encryption key K, Means for dividing users who do not belong to the withdrawal set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Means for encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, Means for dividing the users into groups S ₁ , .., S _w- "w" is an integer, the group forms a bootie in the tree, and each subset S _i1 ... S _im is a node v _i Includes all the leaves in the bootie rooted at, wherein at least each node in the bootie is associated with a respective subset key, at least one message content defining a header is provided to users, The header contains a maximum of r * log (N / r) subset keys and passwords, where r is the number of users in revocation set R and N is the total number of users. Device comprising a. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to produce m encrypted versions of the session key K, comprising at least one message having a header comprising a cryptographic function E _L. Content is provided to the user, the method comprising prefix-truncate the cryptographic function E _L- How to include. In the method of broadcasting a password, Assigning respective personal information I _u to each user of the user group, Selecting at least one session encryption key K, Dividing users who do not belong to the retraction set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im , and Encrypting the session key K with a subset key L _i1 ... L _im to create m encrypted versions of the session key K, wherein content of at least one message defining a plurality of portions is presented to the user. Provided, each portion encrypted with a respective session key- How to include. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers, the logic means providing content to the receiver in at least one message, each receiver having a maximum of log log N operations Message using one decryption operation (where N is the total number of receivers) Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers; Logic means for dividing users who do not belong to the withdrawal set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im ; Logic means for dividing the users into groups S ₁ ,... S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node at least includes a single associated labels, each of the sub-set is any node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of the root tree that do not belong The logic means providing the receiver with content in at least one message defining a header, wherein the header includes at most 2r-1 subset keys and a cipher (r is the number of receivers in the revocation set R); Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers; Logic means for dividing users who do not belong to the withdrawal set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im ; Logic means for dividing the users into groups S ₁ ,... S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node at least includes a single associated labels, each of the sub-set is any node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of the root tree that do not belong Each receiver must store .5 (logN) ² + .5logN + 1 key (N is the total number of receivers) Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers; Logic means for dividing users who do not belong to the withdrawal set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im ; Logic means for dividing the users into groups S ₁ ,... S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node at least includes a single associated labels, each of the sub-set is any node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of the root tree that do not belong Wherein said logic means provides content to the receiver with at least one message and each receiver processes the message using at most log N operations and one decryption operation, where N is the total number of receivers. Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers; Logic means for dividing users who do not belong to the withdrawal set R into disjoint subsets S _i1 ... S _im with associative subset keys L _i1 ... L _im ; Logic means for dividing the users into groups S ₁ ,... S _w- "w" is an integer and the group forms a bootie in the tree, the tree comprising a root and a plurality of nodes, each node at least includes a single associated labels, each of the sub-set is any node v _i the while remaining within the subtree of the root v _i of the progeny of any other node v _j every leaf in a portion of the root tree that do not belong Wherein the revocation set R defines a spanning tree and the computer program device Logic means for initializing a cover tree T as the spanning tree; Logic means for repeatedly performing operations of removing nodes from the cover tree T and adding nodes to the cover tree until the cover tree T has at most one node; Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers, the logic means providing content to the receiver with at least one message having a header comprising a cryptographic function E _L ; Said computer program apparatus comprising logic means for prefix-cutting cryptographic function E _L- Computer program device comprising a. A computer program device comprising a computer program storage device comprising program instructions available by a computer, comprising: The computer program storage device Logic means for accessing the tree to identify a plurality of subset keys; Logic means for encrypting the message using the session key; Logic means for encrypting the session key at least once using respective subset keys to produce an encrypted version of the session key, Logic means for sending a session key cryptogram and version in a message header to a plurality of stateless receivers, the logic means providing content to the receiver in at least one message defining a plurality of portions, each portion being Encrypted with each session key Computer program device comprising a. Encrypting the broadcast content; Transmitting the broadcast content to a plurality of non-holding receivers and at least one retracting receiver, wherein each non-holding receiver can decrypt the content and the retracting receiver cannot decrypt the content; Dividing the users into groups S ₁ , .., S _w- " w " is an integer, the groups forming a _{bootie in the} tree, and each subset S _i1 ... S _im defines node v _i Includes all of the leaves in the root Booty, at least each node in the Booty is associated with a respective subset key, at least one message content defining the header is provided to the receiver, and the header is Contains up to r * log (N / r) subset keys and ciphers (r is the number of receivers in the retraction set R and N is the total number of receivers) A computer programmed with instructions to cause a computer to execute a method comprising a. Encrypting the broadcast content; Groups S _1, ... of the user, dividing by S _w - _"w" is an integer, the group forms a sub-tree in the tree, and each subset S _i1 ... S _im is the node v _i Includes all the leaves in the rooted bootie, at least each node in the bootie associated with a respective subset key—and, Transmitting the broadcast content to a plurality of non-holding receivers and at least one retracting receiver, wherein each non-holding receiver can decrypt the content and the retracting receiver cannot decrypt the content-at least one message Content is provided to the receivers, and each receiver processes the message using up to log log N operations and one decryption operation (where N is the total number of receivers). A computer programmed with instructions to cause a computer to execute a method comprising a. Encrypting the broadcast content; The broad cast content, a number of non-but sent to maintain the at least one revoked receiver with the receiver each non-holding receiver can decrypt the content revoked receiver comprising: so can decrypt the content-encryption function E _L Wherein at least one message content is provided to the receiver having a header comprising a prefix, the method comprising prefix-cutting the cryptographic function E _L. A computer programmed with instructions to cause a computer to execute a method comprising a. Encrypting the broadcast content; Transmitting the broadcast content to a plurality of non-holding receivers and at least one retracting receiver, wherein each non-holding receiver can decrypt the content and the retracting receiver cannot decrypt the content. The content of at least one message being defined is provided to the receiver, each part being encrypted with a respective session key- A computer programmed with instructions to cause a computer to execute a method comprising a. In the content receiver, Means for storing respective personal information I _u ; Means for receiving at least one session encryption key K encrypted with a plurality of subset keys, wherein the session encryption key K encrypts content; Means for obtaining at least one subset key using the personal information such that the session key K can be decrypted to play the content, the receiver receiving content in at least one message defining a header, The header contains at most r * log (N / r) subset keys and ciphers (r is the number of receivers in the revocation set R and N is the total number of receivers). Receiver comprising a. In the content receiver, Means for storing respective personal information I _u ; Means for receiving at least one session encryption key K encrypted with a plurality of subset keys, wherein the session encryption key K encrypts content; Means for obtaining at least one subset key using the personal information such that the session key K can be decrypted to play the content, the receiver receiving content in at least one message defining a header, The receiver processes the message using up to log log N operations and one decryption operation (N is the total number of receivers). Receiver comprising a. In the content receiver, Means for storing respective personal information I _u ; Means for receiving at least one session encryption key K encrypted with a plurality of subset keys, wherein the session encryption key K encrypts content; Means for obtaining at least one subset key using the personal information such that the session key K can be decrypted to play the content, wherein the receiver comprises at most 2r-1 subset keys and an encryption (r Receive content in at least one message with a header number of revocation sets R) Receiver comprising a. In the content receiver, Means for storing respective personal information I _u ; Means for receiving at least one session encryption key K encrypted with a plurality of subset keys, wherein the session encryption key K encrypts content; Means for obtaining at least one subset key using the personal information such that the session key K can be decrypted to play the content, wherein the receiver receives .5 (logN) ² + .5logN + 1 key (N Should store the total number of receivers) Receiver comprising a. In the content receiver, Means for storing respective personal information I _u ; Means for receiving at least one session encryption key K encrypted with a plurality of subset keys, wherein the session encryption key K encrypts content; Means for obtaining at least one subset key using the personal information such that the session key K can be decrypted to play the content, wherein the content in at least one message is provided to the receiver, the receiver being at most Process the message using log N operations and one decryption operation (N is the total number of receivers) Receiver comprising a. In the content receiver, A data storage device for storing respective personal information I _u ; A processing device for receiving at least one session encryption key K encrypted with a plurality of subset keys, the session key encrypting content, the processing device being capable of decrypting the session key K to play the content; Obtain at least one subset key using personal information, the receiver receiving content in at least one message defining a header, the receiver using a maximum of log log N operations and one decryption operation (N is the total number of receivers) Receiver comprising a.

Images